What is the best practice to disable directory browsing on an apache2 webserver? I am thinking disabling this at the httpd.conf would restrict browsing even if somebody gained access to the .htaccess file on the webserver and enabled directory browsing? Thoughts?
It's simpler via the server config but htaccess is often the only way. Especially on shared hosting.
If someone manipulates the htaccess file you don't need to protect your files. In that case it is already too late.
Related
I am a beginner to Zend framework and I want to know more about the .htaccess file and its uses. Can somebody help me?
I found an example like this:
.htacess file
AuthName "Member's Area Name"
AuthUserFile /path/to/password/file/.htpasswd
AuthType Basic
require valid-user
ErrorDocument 401 /error_pages/401.html
AddHandler server-parsed .html
It's not part of PHP; it's part of Apache.
http://httpd.apache.org/docs/2.2/howto/htaccess.html
.htaccess files provide a way to make configuration changes on a per-directory basis.
Essentially, it allows you to take directives that would normally be put in Apache's main configuration files, and put them in a directory-specific configuration file instead. They're mostly used in cases where you don't have access to the main configuration files (e.g. a shared host).
.htaccess is a configuration file for use on web servers running the
Apache Web Server software.
When a .htaccess file is placed in a directory which is in turn 'loaded via the Apache Web Server', then the .htaccess file is detected and executed by the Apache Web Server software.
These .htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer.
These facilities include basic redirect functionality, for instance if a 404 file not found error occurs, or for more advanced functions such as content password protection or image hot link prevention.
Whenever any request is sent to the server it always passes through .htaccess file. There are some rules are defined to instruct the working.
Below are some usage of htaccess files in server:
1) AUTHORIZATION, AUTHENTICATION: .htaccess files are often used to specify the security restrictions for the particular directory, hence the filename "access". The .htaccess file is often accompanied by an .htpasswd file which stores valid usernames and their passwords.
2) CUSTOMIZED ERROR RESPONSES: Changing the page that is shown when a server-side error occurs, for example HTTP 404 Not Found.
Example : ErrorDocument 404 /notfound.html
3) REWRITING URLS: Servers often use .htaccess to rewrite "ugly" URLs to shorter and prettier ones.
4) CACHE CONTROL: .htaccess files allow a server to control User agent caching used by web browsers to reduce bandwidth usage, server load, and perceived lag.
More info : http://en.wikipedia.org/wiki/Htaccess
You are allow to use php_value to change php setting in .htaccess file. Same like how php.ini did.
Example:
php_value date.timezone Asia/Kuala_Lumpur
For other php setting, please read http://www.php.net/manual/en/ini.list.php
Htaccess is a configuration file of apache which is used to make changes in the configuration on a directory basis.
Htaccess file is used to do changes in functions and features of the apache server.
Htaccess is used to rewrite the URL.
It is used to make site address protected.
Also to restrict IP addresses so on particular IP address site will not be opened
You can think it like php.ini files sub files.. php.ini file stores most of the configuration about php like curl enable disable. Where .htaccess makes this setting only for perticular directory and php.ini file store settings for its server' all directory...
It is not so easy to give out specific addresses to people say for a conference or a specific project or product.
It could be more secure to prevent hacking such as SQL injection attacks etc.
.htaccess file create in directory /var/www/html/.htaccess
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
</IfModule>
What
A settings file for the server
Cannot be accessed by end-user
There is no need to reboot the server, changes work immediately
It might serve as a bridge between your code and server
We can do
URL rewriting
Custom error pages
Caching
Redirections
Blocking ip's
I am about to start learning Apache. All resources I am looking into, mention either php.ini, or .htaccess or httpd.conf files for setting configurations and stuff. But none of them are clear on the difference between these 3 files. Can anyone explain the difference and their usage?
httpd.conf (it can actually be named differently on some platforms, but that's the default) is the master configuration file for Apache. You can use Include statements to pull in external configuration files. httpd.conf is read in when Apache starts or if you run a 'reload'.
.htaccss is a per-directory configuration file for Apache. You can enable or disable the use of .htaccess files in your httpd.conf file. Where possible its been recommended to me to turn .htaccess use off, as Apache will check the file every time a request causes it to read the directory.
PHP is, as you probably know, separate from Apache, although often used with it. php.ini is the configuration file for the PHP engine.
Every daemon or application has it's own configuration files. On linux these are often located in the /etc directory. You will have to learn to edit each one according to the program. the /etc/php5/php.ini is different from the /etc/apache2/httpd.conf and so on.
Think of them like different types of files. a Word document is not the same as a JPEG Image or a AVI video.
The PHP.ini controls PHP's settings
The .htaccess controls apache settings for a given folder (and all child folders)
The httpd.conf controls apache's settings.
php.ini is a configuration file where you specify options for things
related specifically to php, for instance CURL
.htaccess is where you specify options for URI routing and folders
options on your server
httpd.conf is a configuration file where you specify options for
things related specifically to apache
I have to redirect bulk of pages to new URL's and if I put all them in .htaccess file, will it get overload and decrease site's performance..??
Please let me know if there are any alternatives to dynamically edit .htaccess file.
Thanks
First notice that using .htaccess files or even allwing the use of .htaccess file is decreasing performances. As you are telling Apache to make I/O on the filesystem, seeking for .htaccess files on the directory tree. So for a better performance having a AllowOverride None on a <Directory /> (so from the root directory) is better, and of course you should'nt modify the AllowOverride setting in any subdirectory.
Now, if you a .htacess with a lot of rules, or a <Directory /path/to/my/directory> with a lot of rules, which is quite the same, except the second version will be read on startup and not for every request, then you will of course slow down youyr apache process as he must check all the rules. But this is usually quite fast. The best thing is to track it via some tools like autobench, httpperf, webinject, ab, etc.
There is a way in mod_rewrite to speed up the rewriting process when you all a lot of rules using the same scheme. It's RewriteMap. When using rewriteMap with a hash file you will of course have something with better speed. But rewriteMap requires that you forget about .htaccess dumb files and that you really use apache configuration files to edit your apache configuration (/etc/apache/*). So you need an adminisstrative access on this configuration.
And at the end of your question you are talking about editing dynamically your .htaccess. If your rewrites are really dynamic I would forget about using the webserver to handle that, and push the rewriting policy into the application code (PHP/C#/etc). Or you could also use the prg: option of rewriteMap and write your own perl, python or anything else daemon script, called by apache's mod-rewrite on each request, providing the rewrite policy. And the rewriting performance will then depend on your programing skills.
I belived, it will not degrade the perfomance in huge , althout the overload on apache server will definately increses....It's also depend on your bandwidth and speed of RAM on your server, if it is good then, I belived you will find any mager issue..
In my local environment, I am using WAMP, which allow me add /remove module dynamically, you can use cpanel also, which allow you add/edit many items dynamically for your apache server
http://docs.cpanel.net/twiki/bin/view/EasyApache3/WebHome
In Addition, you can active and set your virtual host setting uncommeting below lines from your httpds.conf file
LoadModule vhost_alias_module modules/mod_vhost_alias.so
Virtual hosts
Include conf/extra/httpd-vhosts.conf and afterword you can add you all your hundres of virtual host in same file i.e conf/extra/httpd-vhosts.conf
I have an Apache server installed on my windows machine using XAMPP. Now I'm trying to use a premade .htaccess file for one of my projects, but it doesn't seem to be seeing it. The project just totally ignores it, even though I've enabled mod_rewrite.
Any idea how I can troubleshoot this? I can't fix it if it just doesn't work and doesn't show me any errors.
Appreciate your help.
In your httpd.conf file, you must enable .htaccess overriding with AllowOverride for the directory where the .htaccess file is (or parent thereof). If it is set to 'None', the .htaccess files will be ignored.
I'm starting up a new web-site, and I'm having difficulties enforcing my desired file/folder organization:
For argument's sake, let's say that my website will be hosted at:
http://mywebsite.com/
I'd like (have set up) Apache's Virtual Host to map http://mywebsite.com/ to the /fileserver/mywebsite_com/www folder.
The problem arises when I've decided that I'd like to put a few files (favicon.ico and robots.txt) into a folder that is ABOVE the /www that Apache is mounting the http://mywebsite.com/ into
robots.txt+favicon.ico go into => /fileserver/files/mywebsite_com/stuff
So, when people go to http://mywebsite.com/robots.txt, Apache would be serving them the file from /fileserver/mywebsite_com/stuff/robots.txt
I've tried to setup a redirection via mod_rewrite, but alas:
RewriteRule ^(robots\.txt|favicon\.ico)$ ../stuff/$1 [L]
did me no good, because basically I was telling apache to serve something that is above it's mounted root.
Is it somehow possible to achieve the desired functionality by setting up Apache's (2.2.9) Virtual Hosts differently, or defining a RewriteMap of some kind that would rewrite the URLs in question not into other URLs, but into system file paths instead?
If not, what would be the preffered course of action for the desired organization (if any)?
I know that I can access the before mentioned files via PHP and then stream them - say with readfile(..), but I'd like to have Apache do as much work as necessary - it's bound to be faster than doing I/O through PHP.
Thanks a lot, this has deprived me of hours of constructive work already. Not to mention poor Apache getting restarted every few minutes. Think of the poor Apache :)
It seems you are set to using a RewriteRule. However, I suggest you use an Alias:
Alias /robots.txt /fileserver/files/mywebsite_com/stuff/robots.txt
Additionally, you will have to tell Apache about the restrictions on that file. If you have more than one file treated this way, do it for the complete directory:
<Directory /fileserver/files/mywebsite_com/stuff>
Order allow,deny
Allow from all
</Directory>
Can you use symlinks?
ln -s /fileserver/files/mywebsite_com/stuff/robots.txt /fileserver/files/mywebsite_com/stuff/favicon.ico /fileserver/mywebsite_com/www/
(ln is like cp, but creates symlinks instead of copies with -s.)